Rolling Out Remote Access

This topic includes information about rolling out Enterprise Access Management for MFA (formerly Imprivata Confirm ID) remote access with Citrix NetScaler Gateway to your users.

BEST PRACTICE:

To plan your rollout and learn how Remote Access works, start here.

Rolling Out Remote Access

Now that the gateway software and the Imprivata appliance are configured to communicate with each other, you can roll out Enterprise Access Management for MFA to your users.

You control how your users enroll and log in with Enterprise Access Management by organizing users into user policies, then associating those user policies with the Remote Access workflow and enroll rules.

Some examples of how you may want to organize your users:

  • IT pilot — If you'd like to validate your configuration through an IT pilot, create a user policy that contains only your pilot users. Later in this process you can activate Remote Access for only the pilot group.
  • Phased rollout — After you've validated your enrollment, you can introduce Enterprise Access Management Remote Access one department at a time. Organize departments into user policies, and associate them with the Remote Access workflow and your enroll rule when you're ready to "go live".
  • Off-site users — If some of your users rarely come into the office, organize them into a user policy; you can allow them to enroll Imprivata ID and their phone number before they access the VPN (RADIUS client).
  1. In the Imprivata Admin Console, go to Users > User Policies select the user policies that will be associated with Remote Access. Use existing policies, make copies of existing policies, or create policies from scratch.
  2. Go to Users > Users. Choose who will be using Remote Access, and apply a user policy to them. Every user in a policy will receive Remote Access when it's associated with the Remote Access workflow (later in this process).

For complete details on organizing users, see Managing User Accounts.

Confirm authentication methods required for Remote Access.

  1. In the Imprivata Admin Console, go to Users > Workflow policy.
  2. By default, the Remote Access Log in workflow is configured for:
    • Password + Imprivata ID, and
    • Password + SMS code
  3. If you want to change how your users access the VPN (RADIUS client), go to the section Remote access workflows and make your changes. For complete details on configuring workflow policies, see Configuring the Workflow Policy.
  4. Do not associate any user policies with this workflow yet; you will "go live" with Remote Access later in this section.
  5. Click Save.

NOTE: If you have users who cannot use a mobile device in the workplace, Enterprise Access Management Remote Access also supports native integration with VASCO tokens. See Managing VASCO OTP Tokens.

Your users need to enroll the Imprivata ID app, and/or their phone number for SMS code authentication. Remote Access enables enrolling while logging in to your VPN gateway, and enrolling at the Imprivata agent connected to your enterprise network.

Provide a descriptive name and configure an enrollment rule. You will associate one or more user policies with this rule later. You can add additional rules with different options for other user policies.

Access for Unenrolled Users

Before enrolling Imprivata ID or SMS code, users can access the VPN with password alone.

Or you can require "a different login method" for your unenrolled users. This setting is intended for users logging in with:

  • Password + OTP token,
  • PIN + OTP token, or
  • an OTP token.

When configuring the enroll rules, if you select "a different login method" but don't select one of these methods in the Log in section, these users will be blocked. Users who have been assigned a temporary code will still have access.

NOTE: If you have users who have already enrolled Imprivata ID (providers who already use Imprivata ID for signing orders, for example), they won’t have the option to access the VPN (RADIUS client) with password only – they must use password + Imprivata ID to sign in if the Remote Access workflow includes Imprivata ID.

To view a list of users who have already enrolled Imprivata ID— in the Imprivata Admin Console, go to Reports > Enrolled users report, customize the report as needed, and click Run. For more details, see Step 6: Who Hasn't Enrolled Yet?

Choose Where Users Can Enroll

Enterprise Access Management Remote Access offers options for enrolling Imprivata ID and phone numbers for SMS authentication:

A user can always enroll in the Imprivata agent — A user can always enroll at a computer with the Imprivata agent connected to the Imprivata appliance, or they're outside your enterprise network using a virtual desktop connection. They can access the Imprivata enrollment utility and enroll their Imprivata ID and/or phone number. You have the option of prompting unenrolled users to do so.

Prompt the user at the remote client — This method is ideal for users who do not come into the office often: a user is logging into your VPN (RADIUS client) from outside your enterprise network. After the user has successfully entered their username and password, your gateway will prompt the user to enroll their Imprivata ID and/or phone number.

NOTE:

In this scenario, users can enroll Imprivata ID and their phone number remotely by providing their username and password only. For added security during remote enrollment, you can generate a temporary code for each user and place them in a user policy that allows remote enrollment but requires two-factor authentication when logging in remotely. In this scenario, they would enter their username, password, and temporary code before they could remotely enroll Imprivata ID or their phone number. See Temporary Codes for Remote Access..

Do not prompt — With this selection, users will not be prompted, but they can still enroll authentication methods when the Imprivata agent is connected to the Imprivata appliance, or they're outside your enterprise network using a virtual desktop connection. Users cannot enroll in the remote client unless you prompt them.

Choose Whether Users Can Delay

If you discover some users delay enrollment and continue to log in using their username and password only, you can force them to enroll before they access the VPN. If you allow users to delay enrollment, they can delay indefinitely; to track these users who have not enrolled, see Rolling Out Remote Access

Your browser may be blocking Enterprise Access Management's login user interface because the browser's Content Security Policy prohibits content that the user did not request from the Imprivata cloud.

  1. Run the following Powershell command to inject a script that adds an exception to the Content Security Policy:

    Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src 'self' 'unsafe-inline' 'unsafe-eval' impr1.co; img-src 'self' data:;"

  2. Restart all your AD FS servers for this exception to take effect.

Validate your Remote Access configuration by piloting it with a small group of users. If you did not create a user policy dedicated exclusively to this IT pilot, return to Step 1 and create one now.

Associate an IT pilot user policy with the Remote Access workflow and Enroll rules:

  1. In the Imprivata Admin Console, go to Users > Workflow Policy > Remote access workflows.
  2. In the section Log In, click Associate user policies.
  3. Choose your IT pilot user policy from the list.
  4. In the section Enroll, click Associate user policies.
  5. Choose your IT pilot user policy from the list.
  6. Click Save. Enterprise Access Management enrollment and remote access are now live only for the users in the pilot.

Step 4: Notify Users

Before you "go live" with Enterprise Access Management Remote Access, introduce this new system to your users. Let them know what to expect; request users enroll Imprivata ID and/or their phone number by a certain date, after which two-factor authentication will be enforced.

The Imprivata ID User Rollout Kit includes an email template "Introducing Enterprise Access Management Remote Access" that you can use to announce Remote Access support to your users; the HTML file includes a link for downloading the Imprivata ID app and instructions on how to enroll their Imprivata IDs. Paste the template into an email and customize for your enterprise.

Associate user policies with the Remote Access workflow, and associate user policies with an enroll rule:

  1. In the Imprivata Admin Console, go to Users > Workflow Policy > Remote access workflows.
  2. In the section Log In, click Associate user policies.
  3. Choose user policies from the list.
  4. In the section Enroll, select an enroll rule and click Associate user policies.
  5. Choose user policies from the list.
  6. If you have more than one Enroll rule and need some users to use it, select another enroll rule and click Associate user policies.
  7. Choose user policies from the list. A user policy can only be associated with one enroll rule.
  8. Click Save.

Generate a list of users that haven’t enrolled yet. When you’re ready to enforce two-factor authentication, you can then contact these users directly, and/or enforce enrollment.

  1. In the Imprivata Admin Console, go to Reports > Add New Report.
  2. On the Add New Report page, go to MFA > Unenrolled users (Remote access).
  3. On the Add report page, customize the report and filters as needed.
  4. Run, save, and/or export the report results to a CSV file.
  5. The report includes the unenrolled users' email addresses; use the CSV file to bulk email all unenrolled users and instruct them to enroll.

For complete details on Imprivata reporting, see Using Reporting Tools.

Prompt Users to Enroll

Prompt users to enroll Imprivata ID and/or their phone number:

  1. In the Imprivata Admin Console, go to Users > Workflow Policy > Remote access workflows.
  2. In the section Enroll > Enroll prompts, select prompts in the Imprivata agent and/or the remote client.
  3. In the section Enroll > Delay, you can require them to enroll Imprivata ID or their phone number before accessing the VPN.
  4. Click Save.

After a user enrolls Imprivata ID or their phone number, this prompt will no longer appear.

Step 7: Future Rollouts

You can repeat steps 5 and 6 with more users in your enterprise, and new hires in departments already using Remote Access.